Helping people with computers... one answer at a time.

https is an important part of keeping your data safe, but it's only a part. It's important to understand what it means and what it doesn't mean.

I'm confused. I keep hearing that https makes your connection to a website "secure". What does that mean? Does it mean I can trust the site I land on?

"https", or secure http, is an important part of keeping your data safe.

But it's only a part.

Https connections do two things: they encrypt your data so that it is nearly impossible to sniff, and they provide an opportunity for your browser to validate that the website is who you think it is.

Let's look at each of those in a little more depth.

Encryption is simply a way of scrambling the information that you send to a web site, and that the web site might send back to you. In an https connection it works both ways: data that you send, say an account name and password you enter in a login form, is encrypted and sent to the remote site, where it is decrypted so it can be used. Data coming back, perhaps the amount of money you have in your checking account when you visit your bank's site, is encrypted by the web server, sent to your browser, and decrypted so that your browser can display it on screen.

Encryption is important because only you and the remote site can understand the data. Anyone in between ... say someone who's monitoring the information going to and from your computer ... sees only gibberish. It's an important way to keep your private data out of the hands of hackers and thieves.

Another important aspect of https security is that it can be used to validate that the site you are connecting to really is who it claims to be. The server side of an https connection presents a piece of information called a certificate, which your browser checks and validates against trusted authorities. If that check fails, your browser will warn you. Perhaps the certificate has expired (though you should check your computer's clock if you see that), or perhaps the certificate does not actually match the site you think you're visiting. Both are things that should give you pause.

Now, this server validation step is actually an optional part of https. A server can elect to use an untrusted certificate, but every visitor to that site will get a warning that the certificate is not trusted. The data will still be encrypted.

Why would a server elect to do that? Well, certification costs money. Not a lot, but it is an extra step, and not all cases really require it. Sometimes encryption is enough.
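As an added illustration (not from the article), here is a small Python routine that performs the three checks the paragraphs above describe, untrusted issuer, expiry and name mismatch, on a constructed certificate record shaped like the dictionary Python's ssl module returns from getpeercert(); the issuer name, host names and dates are made up.

```python
import ssl
import time

# Constructed sample shaped like ssl.SSLSocket.getpeercert() output
# (assumption: not a real certificate, just the fields a browser looks at).
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example Trusted CA"),),),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.net")),
}

# Stands in for the browser's list of trusted certificate authorities.
TRUSTED_ISSUERS = {"Example Trusted CA"}


def _issuer_org(cert):
    """Pull the organizationName out of the nested issuer tuples."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def hostname_matches(cert, hostname):
    """True if hostname is covered by a DNS subjectAltName entry.

    Only SAN entries count (modern browsers ignore commonName), and a
    wildcard covers exactly one label: *.example.net matches a.example.net
    but not a.b.example.net.
    """
    hostname = hostname.lower()
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name.startswith("*."):
            if hostname.count(".") == name.count(".") and hostname.endswith(name[1:]):
                return True
        elif name == hostname:
            return True
    return False


def certificate_problems(cert, hostname, trusted_issuers, now=None):
    """Return the warnings a browser would raise; an empty list means the check passed."""
    now = time.time() if now is None else now
    problems = []
    if _issuer_org(cert) not in trusted_issuers:
        problems.append("untrusted: issuer is not in the trust store")
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        problems.append("expired: notAfter is in the past (or the local clock is wrong)")
    if not hostname_matches(cert, hostname):
        problems.append("mismatch: certificate does not cover " + hostname)
    return problems
```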

Now, everything I've talked about so far is only about the technology of communicating between you and a web server. Your data is encrypted and you are talking to the web site you think you are.

But it tells you nothing about whether the site you are talking to is legitimate, or whether they are keeping your data safe once it's on their server. Your data arrived there safely ... but what did they do with it after that?

Any web site owner can easily and inexpensively throw together https support. But an https connection doesn't imply that they are legitimate.

You still need to know who you're talking to. Make sure that you've got the website URL correct, and that they're a legitimate business. That's what phishing scams are all about ... trying to get you to visit sites that look legitimate, but aren't. And they might even support https.

(And don't forget to keep your side of the connection clean too - practice safe computing!)

Article C2421 - September 8, 2005

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.

13 Comments

Bob's example goes to "http" so of course it would NOT be encrypted.

That same example, to a server that supports "https", would be encrypted.

What matters is that the URL of the page getting the parameters, be it via a POST or a GET, be an https URL.

Leo



Posted by: Leo at June 15, 2008 9:56 AM
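To make Leo's point concrete, an added example (not part of the comment) in Python: it finds every form on a constructed sample page, resolves the URL the form actually submits to (relative actions are joined to the page URL, and an empty action submits to the page itself), and reports whether that submission goes over https. The page URL and host names are made up.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormFinder(HTMLParser):
    """Collect every <form> on a page with its method and resolved submission URL."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "form":
            return
        a = dict(attrs)
        # A missing or empty action means the form submits back to the page URL.
        action = a.get("action") or self.page_url
        self.forms.append({
            "method": (a.get("method") or "GET").upper(),
            "url": urljoin(self.page_url, action),
        })


def form_submissions(page_url, html):
    """Return (method, submission URL, encrypted?) for each form on the page.

    Whether GET or POST, the parameters are encrypted only if the URL that
    receives them uses the https scheme; the scheme of the page itself is
    irrelevant.
    """
    parser = FormFinder(page_url)
    parser.feed(html)
    return [(f["method"], f["url"], urlsplit(f["url"]).scheme == "https")
            for f in parser.forms]


# Constructed sample: the page is served over https, but the second form
# posts its parameters to a plain http URL, so that submission is not encrypted.
SAMPLE_PAGE_URL = "https://www.example.com/account/"
SAMPLE_HTML = """
<form method="post" action="login">...</form>
<form method="post" action="http://legacy.example.com/login">...</form>
<form method="get">...</form>
"""

if __name__ == "__main__":
    for method, url, encrypted in form_submissions(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(method, url, "encrypted" if encrypted else "NOT encrypted")
```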

In the office, can your chat still be read by the network administrator even when using https? Thanks Leo!

Posted by: Aditya at November 2, 2009 6:36 PM

This keeps coming up on my computer when I am e-mailing my son on Corrlink and it really gets on my nerves. If I push yes it comes back, and if I push no it still does the same thing.

Posted by: Anonymous at December 22, 2010 6:23 PM

Why does Google calendar show a crossed out https in the URL bar (when browsing with Chrome)? What is crossed out https?

I've never seen a crossed-out one. Right click on the padlock for more information.
Leo
12-Apr-2011

Posted by: Jeff at April 12, 2011 1:02 AM

HTTPS connection keeps popping up with every move I make on a web page. It is becoming a nuisance. Can you help?

I don't understand. "Https connection" isn't something that pops up. You'd need to provide more details including the full text of any error messages.
Leo
01-May-2011

Posted by: abie gonzalez at May 1, 2011 2:47 PM